Abstract


To  address  the  Community  of  Practice  (CoP)  objective  of  evaluating  the  utility  of  potential 
biometrics  techniques  that  could  be  used  to  enhance  the  security  of  Information  Technology  (IT) 
systems, including Supervisory Control And Data Acquisition (SCADA) systems and e-Government
services, the Study Team for PSTP-02-336BIOM developed a framework for
addressing  biometric  vulnerabilities,  researched  case  study  examples  of  existing  deployed 
biometric  systems,  and  conducted  a  small-scale  evaluation  to  compare  the  utility  of  biometrics  vs. 
passwords. 

In  developing  the  framework,  the  Study  Team  researched  existing  biometric  evaluation 
frameworks  to  identify  gaps,  and  synthesized  a  practical  framework  aimed  at  an  audience  of  IT 
security  practitioners,  with  the  intent  of  addressing  the  growing  use  of  biometrics  in  government 
applications  and  the  implications  that  it  has  on  IT  systems  security. 

The  Study  Team  also  conducted  a  preliminary  comparative  evaluation  of  the  utility  of  biometrics 
vs.  passwords  as  a  single-factor  authentication  method  using  experimental  test  trials  and  a  user 
survey.  Comparison  criteria  included:  whether  or  not  user  access  is  granted,  number  of  attempts, 
and  usability.  The  evaluation  confirmed  experimentally  that  single-factor  biometric  technology  is 
a  viable  and  user-accepted  means  of  authentication  for  IT  system  access  that  is  at  least  as  fast  and 
reliable  as  username-password  methods. 


Summary


To meet the Community of Practice (CoP) objective of evaluating the utility of biometric
techniques that could be used to improve the security of IT systems, including SCADA
(supervisory control and data acquisition) systems and e-Government services, the Study Team
for PSTP-02-336BIOM developed a framework for addressing biometric vulnerabilities,
researched case studies of existing deployed biometric systems, and conducted a small-scale
evaluation to compare the utility of biometrics against passwords.

In developing the framework, the Study Team researched existing biometric evaluation
frameworks to identify gaps, and synthesized a practical framework intended for information
technology (IT) security professionals, with the intent of addressing the growing use of
biometrics in government applications and the consequences it has for IT systems security.

The Study Team also carried out a preliminary comparative evaluation of the utility of
biometrics against passwords as a single-factor authentication method, using experimental
trials and a user survey. Comparison criteria included: whether or not user access is granted,
the number of attempts, and ease of use. The evaluation confirmed experimentally that
single-finger biometric technology is a viable and user-accepted means of authentication for
IT system access that is at least as fast and reliable as username-password methods.


Executive summary


Assessing  Vulnerability  of  Biometric  Technologies  for  Identity 
Management  Applications:  Final  Report 

Smeaton, D.; Nanavati, R.; Wong, B.; Waung, D.; Coleman, D.; Hart, C.; Unwala,
A.;  DRDC  CSS  CR  CR-2011-19;  Defence  R&D  Canada  -  CSS;  October  2011. 

Background  and  Objectives:  The  Defence  Research  and  Development  Canada  (DRDC)  Public 
Security  Technical  Program  (PSTP)  maintains  a  Surveillance,  Intelligence,  and  Interdiction  (SI2) 
Domain.  Within  this  Domain,  two  investment  priorities  were  identified  under  the  Biometrics  for 
National  Security  Community  of  Practice  (CoP)  as  part  of  PSTP  Call  for  Proposals  2  in 
December  2009.  The  first  Statement  of  Work  (SOW),  “Role  of  Biometrics  in  Identity 
Management  for  IT  System  Access  Control”,  describes  an  assessment  of  biometric  options  in 
identity assurance framework as it relates to IT systems, including SCADA systems and e-government
services, and vulnerability testing & analysis of the relationship between system
performance  and  security  strength  of  function.  In  October  2010,  IBG-Canada  was  awarded 
contract  PSTP-02-336BIOM  to  execute  a  Study  on  this  topic.  Communications  Security 
Establishment  Canada  (CSEC)  served  as  the  Lead  Federal  Department  for  the  Study,  and  IBG- 
Canada  served  as  the  Lead  Applicant.  Other  Study  Partners  included:  Canada  Border  Services 
Agency  (CBSA),  Foreign  Affairs  and  International  Trade  Canada  (DFAIT),  DRDC-Toronto, 
Office  of  the  Privacy  Commissioner  of  Canada  (OPC),  Royal  Canadian  Mounted  Police  (RCMP), 
Transport  Canada,  University  of  Toronto  (U  of  T)  /  Identity,  Privacy  and  Security  Institute  (IPSI), 
GenKey,  priv-ID,  and  Reboot  Communications. 

Agencies  and  departments  within  the  Government  of  Canada  need  information  on  the 
performance,  vulnerabilities  and  effectiveness  of  biometric  solutions  for  identity  management 
access  control  applications,  including  SCADA  systems  and  e-Government  services.  Documents 
such  as  Information  Technology  Security  Guidance  ITSG-31  User  Authentication  Guidance  for 
IT  Systems  notwithstanding,  few  guidance  documents  consider  biometrics  as  a  robust  standalone 
authentication  technique.  Product-focused  evaluation  frameworks  are  costly  and  time-consuming, 
and  overlook  human  elements  that  can  drive  performance,  security,  and  vulnerabilities.  An 
improved  framework  that  incorporates  biometric-based  factors  improves  the  CoP’s  ability  to 
operationalize  biometric  technologies. 

Therefore,  the  first  objective  of  the  Study  was  to  evaluate  the  potential  vulnerability  and  utility  of 
biometric technologies for Government use in IT system access control applications and e-Government
services. This objective addressed the Biometric CoP’s goal to evaluate, analyze,
and  support  biometric  technology  implementations  that  enhance  national  capabilities. 

The  second  objective  was  to  improve  the  ability  of  Canadian  Government  Agencies  to  identify 
and  mitigate  security  vulnerabilities  and  privacy  risks,  and  preserve  interoperability  in  ID 
management  systems,  by  producing  guidance  for  decision-makers  with  respect  to  deploying 
biometric  technology  as  a  method  for  single-factor  authentication. 

Framework Development: Building upon CSEC’s Technical Research Report on Biometrics for
Authentication for Enterprise Security Architectures, and input from CSEC, OPC and other
Federal partners, IBG’s team of technology experts, researchers and analysts compared the utility
of biometrics against other authentication methods such as passwords and cryptographic tokens.

The  project  team  conducted  a  survey  of  existing  biometric  vulnerability  assessment  frameworks, 
as  well  as  recent  privacy  policy  documents,  reviewing  common  IT  evaluation  frameworks  and 
identifying  gaps.  These  frameworks  included:  the  Common  Criteria  for  Biometric  Evaluation 
Methodology  Supplement  (BEM),  ISO/IEC  19792  Security  evaluation  of  a  biometric  system,  and 
CSEC  ITSG-31  User  Authentication  Guidance  for  IT  Systems. 

The  project  team  then  synthesized  a  practical  framework  aimed  at  IT  security  practitioners,  who 
may  not  be  familiar  with  biometrics  as  an  authentication  method.  The  framework  will  help 
practitioners  and  decision-makers  understand  and  evaluate  biometric  technologies  as  a  viable 
method  for  authentication. 

Case  Study  Analyses:  Case  study  analyses  were  conducted  by  researching  deployed  operational 
biometric  systems  in  Canadian  and  international  settings  and  describing  them  in  terms  of  metrics 
discussed  in  the  synthesized  and  existing  frameworks.  These  descriptions  serve  as  examples  of 
successful  deployments  of  biometrics  for  applications  that  may  be  of  interest  to  the  Government 
of  Canada. 

Comparative  Evaluation:  For  the  comparative  evaluation,  the  Study  team  developed  a  test 
methodology  and  plan  for  directly  comparing  the  utility  of  biometric  authentication  to  password 
authentication  through  an  experimental  test  using  a  small  set  of  Test  Subjects  and  trials.  The 
project  team  built  a  test  platform  that  simulates  the  user  login  experience  using  a  representative 
fingerprint biometric system and a username-password authentication system, while collecting
measurable  criteria  such  as: 

•  Whether  access  was  granted; 

•  Number  of  attempts  before  gaining  access;  and 

•  Time  to  authenticate. 

Data  on  additional  metrics  such  as  ease-of-use  and  user  acceptance  were  collected  using  a  user 
survey  conducted  after  the  test  trials.  At  the  end  of  the  evaluation,  the  recorded  data  was 
aggregated  and  analyzed. 

Evaluation  Results:  The  test  results  confirmed  experimentally  that  single-factor  biometric 
technology  is  a  viable  and  user-accepted  means  of  authentication  for  IT  system  access  that  is  at 
least as fast and accurate as username-password methods. The test results also suggested that the
performance  of  the  biometric  technology  may  be  better  than  that  of  username-password  methods 
in  terms  of  a  higher  proportion  of  successful  access  attempts  for  daily  as  well  as  intermittent  use. 

The  test  results  and  user  survey  showed  that  a  large  number  of  Test  Subjects  wrote  down  their 
passwords,  used  “weak”  passwords  that  were  easier  to  remember,  and/or  used  the  same  password 
for  multiple  systems,  potentially  compromising  the  strength  of  the  username-password 
authentication. 

These results support the evaluation and confirmation of the utility of a representative biometric
technology for IT access control and access to e-Government services, supporting the primary
SOW objective. However, further study on a larger scale with a larger and more diverse subject
population is recommended to strengthen the conclusions.

Significance  and  Future  Plans:  The  Study  concludes  that,  when  deploying  authentication 
systems  for  IT  network  access,  it  is  important  that  organizations  examine  biometrics  as  a  valid 
method  of  authentication,  in  addition  to  more  traditional  methods.  IT  security  professionals  may 
have  the  “pre-programmed”  mindset  to  utilize  usernames  and  passwords  as  a  method  of 
authentication,  because  of  widespread  use,  ease  of  implementation,  and  comparatively  low  costs 
of  implementation.  Unfortunately,  username-password  may  not  be  the  most  secure  form  of 
authentication  due  to  mature  tools  used  by  attackers  to  exploit  password  vulnerabilities  such  as 
Trojan  horses  and  key-loggers. 

The  deliverables  of  the  Study  facilitate  the  assessment  of  potential  biometric  authentication 
solutions  across  the  Personnel  Research  and  Development  and  Operations  Research; 
Infrastructure  and  Organization;  Concept,  Doctrine  and  Collective  Training;  Information 
Management;  and  Equipment,  Supplies  and  Services  (PRICIE)  spectrum,  by  identifying  gaps  in 
existing  security  evaluation  methodologies  and  synthesizing  a  best-of-breed  evaluation 
framework that incorporates privacy issues. Study results will inform IT security and privacy
policy  development,  and  facilitate  deployment  of  biometric  technologies  as  standalone 
authentication  methods  and  in  conjunction  with  other  mechanisms  for  multi-factor  authentication 
systems. 

This  impact  is  expected  to  include  the  security  and  privacy  of  practitioner  and  beneficiary  access 
to  electronic  health  information  through  systems  such  as  Canadian  Forces  Health  Information 
System  (CFHIS),  using  biometrics  alone  or  in  conjunction  with  authentication  mechanisms  such 
as  electronic  versions  of  the  Canadian  Forces  ID,  Canadian  Forces  Health  Care  ID,  or  Canadian 
Forces  Military  Family  ID. 

In addition to the direct results of the evaluation, the test methodology and plan developed in the
Study, as well as the test application design, can be used to conduct the more in-depth
comparison.

2011.

Background and Objectives: The Public Security Technical Program (PSTP) of Defence Research
and Development Canada (DRDC) maintains a Surveillance, Intelligence, and Interdiction (SI2)
domain. Within this domain, two investment priorities were identified in the Biometrics for
National Security Community of Practice (CoP) as part of PSTP Call for Proposals 2 in
December 2009, with the first statement, “Role of Biometrics in Identity Management for IT
System Access Control”, describing the assessment of biometric options within the identity
assurance framework as it relates to IT systems, including SCADA systems and e-Government
services, and vulnerability testing and analysis of the relationship between system
performance and security strength of function. In October 2010, IBG-Canada was awarded a
contract, PSTP-02-336BIOM, to carry out a study on this topic. Communications Security
Establishment Canada (CSEC) served as the lead federal department for the study, and
IBG-Canada was the lead applicant. Other study partners included: Canada Border Services
Agency (CBSA), Foreign Affairs and International Trade Canada (DFAIT), DRDC-Toronto, the
Office of the Privacy Commissioner of Canada (OPC), the Royal Canadian Mounted Police (RCMP),
Transport Canada, U of T / IPSI, GenKey, priv-ID, and Reboot Communications.

Agencies and departments of the Government of Canada need information on the performance,
vulnerabilities and effectiveness of biometric solutions for identity management access
control applications, including SCADA systems and e-Government services. Documents such as
ITSG-31 User Authentication Guidance for IT Systems notwithstanding, few guidance documents
consider biometrics as a robust standalone authentication technique. Product-focused
evaluation frameworks are costly and tedious, and overlook human elements that can drive
performance, security and vulnerabilities. An improved framework that incorporates
biometric-based factors improves the ability of the Community of Practice to operationalize
biometric technologies.

Therefore, the first objective of the study was to evaluate the potential vulnerability and
utility of biometric technologies for Government use in IT system access control applications
and e-Government services. This objective addressed the biometrics CoP’s goal to evaluate,
analyze, and support biometric technology implementations that enhance national capabilities.

The second objective was to improve the ability of Canadian government agencies to identify
and mitigate security vulnerabilities and privacy risks, and to preserve the interoperability
of identity management systems, by producing guidance for decision-makers with respect to
deploying biometric technology as a single-factor authentication method.

Framework Development: Building on CSEC’s technical research report on biometrics for
authentication for enterprise security architectures (Technical Research Report on Biometrics
for Authentication for Enterprise Security Architectures), and input from CSEC, OPC and other
federal partners, the technology experts, researchers and analysts of IBG’s study team
researched the utility of biometrics against other authentication methods such as passwords
and cryptographic tokens.

The study team conducted a survey of existing frameworks for biometric vulnerability
assessment, as well as recent privacy policy documents, reviewing common IT evaluation
frameworks and identifying gaps. These frameworks included: the Common Criteria for Biometric
Evaluation Methodology Supplement (BEM), ISO/IEC 19792 Security framework for the evaluation
and testing of biometric technology, and CSEC ITSG-31 User Authentication Guidance for IT
Systems.

The study team then synthesized a practical framework aimed at IT security practitioners, who
may not be familiar with biometrics as an authentication method. The framework will help
practitioners and decision-makers understand and evaluate biometric technologies as a viable
method for authentication.

Case Study Analyses: Case studies were conducted by researching operational biometric systems
deployed in Canadian and international settings, and by describing them in terms of the
evaluation metrics examined in the existing and synthesized frameworks. These descriptions
are examples of successful deployments of biometrics for applications that may be of interest
to the Government of Canada.

Comparative Evaluation: For the comparative evaluation, the study team developed a test
methodology and plan to directly compare the utility of biometric authentication against
password authentication with an experiment using a small set of test subjects and trials. The
study team created test software that simulates the user login experience using a
representative fingerprint biometric system and a username-password authentication system,
while collecting measurable criteria such as:

• Whether access was granted;

• Number of attempts before gaining access; and

• Time to authenticate.

Data on additional measures such as ease of use and user acceptance were gathered through a
survey conducted after the trials. At the end of the evaluation, the recorded data was
aggregated and analyzed.

Evaluation Results: The test results confirmed empirically that single-factor biometric
technology is a viable and user-accepted means of authentication for IT system access that is
at least as fast and accurate as username-password methods. The test results also suggested
that the performance of the biometric technology may be better than that of username-password
methods in terms of a higher proportion of successful access attempts for daily as well as
intermittent use.

The test results and the user survey showed that a large number of test subjects wrote down
their passwords, used “weak” passwords that were easier to remember, and/or used the same
password for multiple systems, which could compromise the strength of username-password
authentication.

These results support the evaluation and confirmation of the utility of a representative
biometric technology for IT access control and access to e-Government services, supporting
the primary objective of the statement of work. However, further study on a larger scale with
a larger and more diverse subject population is recommended to strengthen the conclusions.

Significance and Future Plans: The study concludes that, when deploying authentication
systems for IT network access, it is important that organizations examine biometrics as a
valid method of authentication, in addition to more traditional methods. IT security
professionals may have the “pre-programmed” mindset to use usernames and passwords as a
method of authentication, because of widespread use, ease of implementation, and relatively
low implementation costs. Unfortunately, username-password may not be the most secure form of
authentication because of tools used by attackers to exploit password vulnerabilities, such
as Trojan horses and key-loggers.

The deliverables of the study facilitate the assessment of potential biometric authentication
solutions across the whole “PRICIE” spectrum, by identifying gaps in security evaluation
methods and synthesizing a best-of-breed evaluation framework that incorporates privacy
issues. The results of the study will inform the development of IT security and privacy
policy, and will facilitate the deployment of biometric technologies as standalone
authentication methods and in conjunction with other mechanisms for multi-factor
authentication systems.

This impact is expected to include the security and privacy of practitioner and beneficiary
access to electronic health information through systems such as the Canadian Forces Health
Information System (CFHIS), using biometrics alone or in conjunction with authentication
mechanisms such as electronic versions of the Canadian Forces ID, the Canadian Forces Health
Care ID, or the Canadian Forces Military Family ID.

In addition to the direct results of the evaluation, the test methodology and plan developed
in the study, as well as the test software design, can be used to carry out the more in-depth
comparison.


1 Introduction


This Final Report for the PSTP-02-336BIOM “Assessing Vulnerability of Biometric
Technologies  for  Identity  Management  Applications”  Study  describes  the  purpose,  methodology, 
results,  transition  and  exploitation  activities,  and  conclusions  of  the  activities  conducted  during 
the  Study.  Accompanying  it  as  separate  deliverables  are: 

1.  Deliverable  A:  An  analysis  of  existing  biometrics  guidance  for  the  IT  community 

2. Deliverable B: A comparative analysis of biometrics vs. passwords, including a test
methodology  and  plan  for  conducting  a  practical  evaluation  to  compare  the  utility  of 
biometrics  vs.  passwords,  as  well  as  test  results  and  analysis 

3.  Deliverable  C:  A  guidance  document  on  the  implementation  of  biometric  systems  aimed  at  IT 
practitioners  that  incorporates  a  usable  framework  for  addressing  biometric  vulnerabilities 
and  other  deployment  factors,  and  case  study  examples  of  real-world  deployments  of  IT 
System  Access  applications 

The  research  conducted  during  this  Study  aimed  to  develop  a  guide  for  IT  security  practitioners, 
who  may  not  be  familiar  with  biometrics  as  an  authentication  method,  with  the  intent  of 
addressing  the  growing  use  of  biometrics  in  government  applications  and  the  implications  that  it 
has  on  information  technology  (IT)  systems  security.  The  Study  deliverables  include:  (1)  analysis 
of  existing  security  management  techniques,  (2)  development  of  a  biometric  evaluation 
framework  with  relevant  case  studies,  and  (3)  comparative  results  of  an  evaluation  of  biometric 
and  password  security  efficacy. 

When  attempting  to  compromise  an  IT  system,  attackers  will  generally  pursue  the  easiest  point  of 
attack  of  a  particular  system.  In  many  cases,  this  is  the  point  at  which  the  username  and  password 
are  captured  from  the  user.  Mature  tools  such  as  Trojan  horses  and  key-loggers  that  exist  in  an 
attacker’s  arsenal  facilitate  the  collection  of  passwords. 

At  the  same  time,  IT  deployers  may  have  the  “pre-programmed”  mindset  to  utilize  usernames  and 
passwords  as  a  method  of  authentication,  due  to  widespread  use,  ease  of  implementation,  and 
comparatively  low  costs  of  implementation.  Unfortunately,  username-password  may  not  be  the 
most  secure  form  of  authentication.  Thus,  when  deploying  IT  systems  for  IT  network  access,  it  is 
important  that  organizations  examine  other  valid  forms  of  authentication  such  as  biometrics. 

Biometrics has long been used as a method for authenticating people for the purposes of verifying
identity and identification. Biometrics can be and is used in the Federal Government in physical
and logical access applications for the purposes of improving authentication security and ease of
use, reducing administrative costs, and providing non-repudiation. Government projects exist that
are currently using biometrics, such as the Canadian Air Transport Security Authority’s (CATSA)
Restricted Area Identification Card (RAIC), as well as those that could potentially use biometrics
in the future, such as Canadian Forces Health Information System (CFHIS). These applications
utilize biometrics as a method of authentication for applications such as SCADA systems and
e-Government services.

The highest-visibility application of biometrics in national government applications is arguably in
Civil Identification (ID) applications such as international travel applications including passport
issuance and border management, in addition to applications such as national ID programs in
certain nations. Further government uses of biometrics include employee-facing applications in
authentication for IT System Access, particularly network login, and Access Control /
Attendance, often in conjunction with smartcard-based employee ID programs. These common
government applications are described in more detail in the Study deliverables, along with case
studies highlighting current biometric implementations in government settings.

It  is  important  for  all  organizations,  including  government  agencies,  to  evaluate  and  select 
technology  products  and  services  that  maintain  and  improve  overall  IT  security  and  enterprise 
architecture.  The  systematic  management  of  IT  security  processes  is  critically  important.  Failure 
to  consider  the  many  issues  involved  and  to  manage  the  risks  can  seriously  impact  the 
organization.  The  framework  developed  during  the  Study  aims  to  bridge  evident  gaps  in  the 
evaluation  of  biometric  technologies  under  recognized  evaluation  criteria,  such  as  the  Common 
Criteria,  and  will  benefit  departmental  security  authorities,  IT  project  managers,  IT 
administrators,  security  practitioners,  and  evaluators  in  assessing  the  appropriateness  of 
implementing  biometric  technologies  in  a  government  setting,  thereby  addressing  the  Study 
Objectives  to: 

•  Evaluate  the  potential  vulnerability  and  utility  of  various  biometric  technologies  for 
Government  use  in  IT  system  access  control  applications  (including  SCADA  systems)  and 
e-Government services; and

•  Improve  the  ability  of  Canadian  Government  Agencies  to  identify  and  mitigate  security 
vulnerabilities,  properly  contemplate  /  mitigate  privacy  risks,  and  preserve  interoperability. 

This  Study  addresses  the  following: 

1.  Reviews  general  information  security  mechanisms  and  the  related  managerial  and 
administrative  issues  necessary  to  ensure  confidence  in  IT  security 

2.  Reviews  general  security  functionality  and  assurance  requirements  of  IT  systems  and  relevant 
evaluation  criteria 

3.  Addresses  the  main  functionality  and  utility  factors  that  should  be  considered  in  a  biometric 
technology  evaluation 

4.  Compares  the  utility  factors  of  biometric  technologies  to  traditional  security  mechanisms 

5.  Identifies  gaps  in  current  IT  security  frameworks  for  the  evaluation  of  biometric  technologies 

6.  Provides  a  high-level  framework  for  assessing  the  suitability,  limitations,  and  vulnerabilities 
of  biometric  technologies 

7.  Discusses  privacy  issues  of  biometric  implementations 

8. Details common government applications of biometric technologies and provides government
biometric case studies

In order to account for elements that are constantly in flux with the improvement of technology
and streamline the focus of this Study, the framework does not:

1. Summarize the current state of biometrics technology or act as a market report

2.  Provide  specific  recommendations  on  biometric  devices  and/or  modalities 

2 Purpose


The  first  objective  of  the  project  was  to  evaluate  the  potential  vulnerability  and  utility  of 
biometric technologies for Government use in IT system access control applications and
e-Government services. This objective addressed the Biometric community of practice’s goal to
evaluate,  analyze,  and  support  biometric  technology  implementations  that  enhance  national 
capabilities. 

The  second  objective  was  to  improve  the  ability  of  Canadian  Government  Agencies  to  identify 
and  mitigate  security  vulnerabilities  and  privacy  risks,  and  preserve  interoperability  in  ID 
management  systems,  by  producing  information  for  decision-makers  with  respect  to  deploying 
biometric  technology  as  a  method  for  authentication. 

The  Study  addressed  the  investment  category  by  synthesizing  a  usable  framework  for  evaluating 
vulnerabilities in biometric technology options for IT system access control applications and
e-Government services. By incorporating existing frameworks and policy documents, this
framework  provides  straightforward  guidance  for  decision-makers  deploying  authentication  and 
identity  management  solutions.  The  framework  addresses  technical  considerations  such  as 
vulnerabilities  and  interoperability,  as  well  as  additional  deployment  factors  such  as  cost, 
usability,  and  privacy  impact. 

The  Study  included  an  attempt  to  directly  compare  the  utility  of  biometrics  and  traditional  means 
of  single-factor  authentication  by  executing  a  small-scale  evaluation  of  fingerprint  biometrics  vs. 
passwords  for  desktop  application  login. 

This  Study  generated  and  organized  knowledge  in  the  form  of  analyses  and  guidance,  which  are 
encapsulated  in  the  Study  deliverables.  This  knowledge  can  be  used  to  develop  policy  and 
guidance to encourage IT security practitioners to utilize biometric technology as a form of
authentication.

3 Methodology


The Project team studied, surveyed and analyzed existing reports, guidance, frameworks and
analyses  related  to  the  deployment  of  biometric  systems  for  IT  network  access  applications  and 
generated  three  knowledge-based  deliverables: 

•  An  analysis  of  existing  biometrics  guidance  for  the  IT  community; 

•  An  analysis  comparing  biometrics  to  passwords  as  authentication  mechanisms,  including  an 
experimental  test  to  compare  utility;  and 

•  Guidance  on  the  use  of  biometrics  in  network  authentication,  aimed  at  IT  security 
practitioners. 

3.1  Analysis  of  Existing  Biometrics  Guidance  and  Reports 

The  project  team  compiled  a  list  of  existing  technical  reports,  guidance,  policy,  standards  and 
other  documents  relating  to  the  use  of  biometrics  as  an  authentication  method  for  IT  network 
access.  The  team  also  reviewed  documents  relating  to  legal,  ethical,  cultural  and  privacy  issues 
related  to  deployment.  Table  1  lists  some  of  the  various  documents  reviewed. 

Table 1: Source Documents for Analysis of Existing Guidance and Reports

| Title | Organization | Date |
|---|---|---|
| Biometric Technology Security Evaluation Under the Common Criteria [1] | CSEC | September 2001 |
| Biometric Application to Government Services Report [2] | CSEC | October 27, 2003 |
| CSE148 DID:CSE03 Government of Canada Biometrics Business Requirements Report [3] | CSEC | March 9, 2004 |
| CSE149 DID:CSE03 Government of Canada Identification and Authentication Framework for Biometric Enabled Applications [4] | CSEC | March 9, 2004 |
| Government of Canada Biometrics Business Case Framework [5] | CSEC | February 9, 2005 |
| BSI-PP-0016 Common Criteria Protection Profile for Biometric Verification Mechanisms [6] | Bundesamt für Sicherheit in der Informationstechnik | August 17, 2005 |
| NIST SP 800-63 Electronic Authentication Guideline [7] | NIST Information Technology Laboratory (ITL) | April 2006 |
| INCITS M1/07-0185rev Study Report on Biometrics in E-Authentication [8] | INCITS M1.4 Ad Hoc Group on Biometric in E-Authentication | March 30, 2007 |
| Harmonized Threat and Risk Assessment (TRA) Methodology [9] | CSEC & RCMP | October 23, 2007 |
| ITSG-31 User Authentication Guidance for IT Systems [10] | CSEC | March 2009 |
| ISO/IEC 19792:2009 Security Evaluation of Biometrics [11] | ISO/IEC JTC1 SC 27 | August 1, 2009 |
| NIST SP 800-53 Recommended Security Controls [12] | NIST ITL | August 2009 |
| Technical Research Report on Biometrics for Authentication for Enterprise Security Architectures [13] | CSEC | March 2010 |
| ITSG-30 Introduction to Guidelines for Information Technology Security in the Government of Canada (Draft 7) [14] | CSEC | December 2010 |
| ITSG-33 Guide to Managing Security Risks (Draft 5) [15] | CSEC | December 2010 |
| ISO/IEC Proposed Draft Technical Report (PDTR) 29156 Guidance for specifying performance (Draft Technical Report) [16] | ISO/IEC JTC1 SC 37 | February 2011 |
| Data at Your Fingertips: Biometrics and the Challenges to Privacy [17] | OPC | February 16, 2011 |

The Study found that while some documents, such as the International Committee for Information
Technology Standards (INCITS) M1/07-0185rev Study Report on Biometrics in
E-Authentication [8], had already explored the role for biometric authentication at different assurance
levels, as well as the benefits, challenges and threats that accompany the use of biometric
authentication and countermeasures, better guidance was needed on the use of biometrics as a
replacement for passwords in authentication in a Canadian context. Findings of note included that
the INCITS M1 report also provides recommended edits from a biometric practitioner perspective
to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63
Electronic Authentication Guideline [7], the U.S. guidance document that discusses the use of
biometrics in IT network authentication and one of the key references for ITSG-31 User
Authentication Guidance for IT Systems [10]; however, these recommended edits have not been
implemented by NIST.

The  analysis  of  existing  guidance  and  reports  can  be  found  in  Deliverable  A. 

3.2  Analysis  comparing  Biometrics  to  Passwords 

Using  the  review  of  existing  biometrics  guidance  and  reports,  the  Study  team  conducted  a 
comparison  of  biometrics  and  passwords  as  authentication  mechanisms  for  IT  access  control.  The 
team  produced  a  report,  found  in  Deliverable  B,  describing  the  different  types  of  vulnerabilities  in 
a  diagram  of  an  authentication  system,  and  described  the  vulnerabilities  specific  to  biometrics  and 
passwords. 

Additionally,  the  team  developed  a  test  methodology  and  plan  for  a  small-scale  evaluation  to 
compare  the  utility  of  biometric  authentication  to  password  authentication.  The  project  team  built 
a  test  platform  that  simulates  the  user  login  experience  using  a  representative  fingerprint 
biometric  system  and  a  username-password  authentication  system,  while  collecting  measurable 
criteria  such  as: 

•  Whether  access  was  granted; 

•  Number  of  attempts  before  gaining  access;  and 

•  Time  to  authenticate. 

Data on additional metrics such as ease-of-use and user acceptance were collected using a user
survey  conducted  after  the  test  trials.  At  the  end  of  the  evaluation,  the  recorded  data  was 
aggregated  and  analyzed. 
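
The measured criteria listed above can be aggregated per authentication method as follows. This is an added example, not the Study's test platform: the trial records are constructed, and the three-attempt limit and the Wilson score interval are assumptions introduced here to show how much uncertainty a small-scale trial leaves in the success proportion.

```python
"""Aggregate login-trial records per authentication method (added example)."""
import math
from collections import defaultdict
from statistics import mean, median

MAX_ATTEMPTS = 3  # assumption: a session ends after three failed attempts

# Constructed sample records, one per login session:
# (subject, method, attempts_used, access_granted, seconds_to_outcome)
TRIALS = [
    ("S01", "fingerprint", 1, True, 3.1), ("S01", "password", 1, True, 4.2),
    ("S02", "fingerprint", 1, True, 2.8), ("S02", "password", 2, True, 9.5),
    ("S03", "fingerprint", 2, True, 6.4), ("S03", "password", 1, True, 4.0),
    ("S04", "fingerprint", 1, True, 3.0), ("S04", "password", 3, False, 15.2),
    ("S05", "fingerprint", 1, True, 2.9), ("S05", "password", 1, True, 3.8),
    ("S06", "fingerprint", 3, False, 11.0), ("S06", "password", 2, True, 8.7),
    ("S07", "fingerprint", 1, True, 3.3), ("S07", "password", 3, False, 14.1),
    ("S08", "fingerprint", 2, True, 5.9), ("S08", "password", 1, True, 4.4),
]


def wilson_interval(successes, n, z=1.96):
    """95% Wilson score interval for a proportion; behaves well for small n."""
    if n == 0:
        return (0.0, 1.0)  # no data: the proportion is unconstrained
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def summarize(trials):
    """Return per-method access rate, attempts and time-to-authenticate."""
    by_method = defaultdict(list)
    for subject, method, attempts, granted, seconds in trials:
        if not 1 <= attempts <= MAX_ATTEMPTS:
            raise ValueError(f"{subject}/{method}: invalid attempt count {attempts}")
        by_method[method].append((attempts, granted, seconds))

    summary = {}
    for method, rows in by_method.items():
        n = len(rows)
        granted_rows = [r for r in rows if r[1]]
        first_try = sum(1 for attempts, granted, _ in rows if granted and attempts == 1)
        summary[method] = {
            "sessions": n,
            "granted": len(granted_rows),
            "grant_rate": len(granted_rows) / n,
            "grant_rate_ci95": wilson_interval(len(granted_rows), n),
            "first_attempt_rate": first_try / n,
            # Attempts and time are reported for successful sessions only, so a
            # lockout does not masquerade as a slow but successful login.
            "mean_attempts_when_granted":
                mean(r[0] for r in granted_rows) if granted_rows else None,
            "median_seconds_when_granted":
                median([r[2] for r in granted_rows]) if granted_rows else None,
        }
    return summary


def intervals_overlap(a, b):
    """True when two confidence intervals share at least one point."""
    return a[0] <= b[1] and b[0] <= a[1]


if __name__ == "__main__":
    result = summarize(TRIALS)
    for method, stats in sorted(result.items()):
        lo, hi = stats["grant_rate_ci95"]
        print(f"{method:12s} granted {stats['granted']}/{stats['sessions']} "
              f"(95% CI {lo:.2f}-{hi:.2f}), "
              f"first-attempt rate {stats['first_attempt_rate']:.2f}, "
              f"median time {stats['median_seconds_when_granted']:.1f}s")
    if intervals_overlap(result["fingerprint"]["grant_rate_ci95"],
                         result["password"]["grant_rate_ci95"]):
        print("Intervals overlap: sample too small to separate the two methods.")
```

With eight sessions per method the two intervals overlap widely, which is the quantitative form of the report's call for a larger and more diverse subject population.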

The  test  results  confirmed  experimentally  that  single-factor  biometric  technology  is  a  viable  and 
user-accepted  means  of  authentication  for  IT  system  access  that  is  at  least  as  fast  and  accurate  as 
username-password  methods.  The  test  results  also  suggested  that  the  performance  of  the 
biometric  technology  may  be  better  than  that  of  username-password  methods  in  terms  of  a  higher 
proportion  of  successful  access  attempts  for  daily  as  well  as  intermittent  use. 

The  test  results  and  user  survey  showed  that  a  large  number  of  Test  Subjects  wrote  down  their 
passwords,  used  “weak”  passwords  that  were  easier  to  remember,  and/or  used  the  same  password 
for  multiple  systems,  potentially  compromising  the  strength  of  the  username-password 
authentication. 

These  results  support  the  comparative  analysis,  confirming  the  utility  of  a  representative 
biometric technology for IT access control and access to e-Government services, and supporting
the  primary  SOW  objective.  The  results  also  suggest  that  decisions  to  utilize  usernames  and 
passwords  as  an  authentication  method  should  be  revisited  as  they  may  not  be  as  secure  in 
practice  as  they  are  assumed  to  be  in  theory.  However,  further  study  on  a  larger  scale  with  a 
larger  and  more  diverse  subject  population  is  recommended  to  strengthen  the  conclusions. 

The  analysis  comparing  biometrics  to  passwords  as  authentication  mechanisms  and  the  test  report 
can  be  found  in  Deliverable  B. 

3.3  Guidance  Aimed  at  IT  Security  Practitioners 

In  consideration  of  the  information  security,  guidance,  and  biometric-specific  information 
presented,  the  Study  team  drew  upon  the  aforementioned  analyses  to  develop  a  Biometric 
Vulnerability  Evaluation  Framework  (BVEF).  This  multi-level  approach  is  intended  to  support 
vulnerability  assessments  of  biometrics  as  a  general  solution,  in  the  development  of  security 
requirements,  in  the  assurance  of  specific  implementations,  and  during  any  follow-on 
assessments. 

The  Study  team  identified  gaps  in  existing  guidance  and  frameworks,  and,  building  upon  the 
CSEC/RCMP Harmonized Threat and Risk Assessment (TRA) Methodology [9], added metrics
relating  to  privacy  and  cost  issues. 

It  is  important  to  note  that  the  guidance  developed  during  this  Study  is  not  yet  an  Information 
Technology  Security  Guidance/Guideline  (ITSG)  document,  but  simply  information  that  would 
feed  into  an  official  ITSG  document. 

The  guidance  on  the  use  of  biometrics  in  network  authentication  can  be  found  in  Deliverable  C. 


DRDC  CSS  CR  2011-19 




4  Results 


4.1  Impact  and  Relevance 

The  project  outputs,  including  the  biometric  vulnerabilities  framework,  will  facilitate  the 
assessment  of  potential  biometric  authentication  solutions,  feeding  into  new  guidance  that 
addresses  gaps  with  respect  to  the  use  of  biometrics  as  an  authentication  mechanism  in  Canada. 

Study  results  will  inform  IT  security  and  privacy  policy  development,  and  facilitate  deployment 
of  biometric  technologies  as  standalone  authentication  methods  and  in  conjunction  with  other 
mechanisms  for  multi-factor  authentication  systems. 

Results  from  the  comparative  evaluation  portion  of  the  project  will  serve  as  a  baseline  of  data 
regarding  a  direct  comparison  of  the  utility  and  usability  of  biometrics  vs.  passwords  using 
experimental  research  trials,  opening  the  door  for  more  comprehensive  evaluation  scenarios 
beyond  the  scope  of  the  Study. 

4.2  Lessons  Learned  and  Implementation  of  Lessons  Learned 

Study  research  showed  that,  while  frameworks  describing  biometric  vulnerabilities  already  exist, 
they  are  not  optimized  for  use  by  IT  security  practitioners.  There  is  a  disconnect  between  existing 
frameworks  and  IT  security  practitioners  in  that  much  of  the  existing  literature  is  written  by 
members  of  the  biometric  community  of  practice  (CoP)  for  use  within  that  community  or  are 
written  with  an  academic  audience  in  mind,  instead  of  an  audience  of  deployers  of  authentication 
systems,  who  may  be  more  familiar  with  IT  security  terminology  and  concepts.  At  the  same  time, 
other  frameworks  written  from  a  traditional  IT  security  point  of  view  fail  to  account  for  the  non- 
deterministic  nature  of  biometric  authentication  and  the  unique  aspects  and  issues  of  biometric 
technology  such  as  privacy  concerns.  Thus,  a  gap  exists  between  available  frameworks  and  their 
potential  audience. 

Likewise,  guidance  for  biometrics  use  in  Canada,  such  as  ITSG-31  User  Authentication  Guidance 
for  IT  Systems,  already  exists;  however,  in  the  case  of  ITSG-31,  assertions  made  in  the  document 
are  not  clearly  attributed  to  science-based  metrics  or  are  based  on  U.S.  guidelines,  which  may  not 
be  appropriate  to  Canadian  applications. 

The  framework  and  guidance  developed  during  this  Study  attempted  to  address  these  gaps. 

4.3  New  capabilities,  partners  and  networks 

The  framework  represents  an  improvement  in  capabilities  by  providing  a  usable  tool  for  IT 
practitioners  to  use  when  evaluating  whether  or  not  to  deploy  biometrics  as  an  authentication 
method  for  IT  network  security  applications.  The  Study  also  aimed  to  forge  stronger  connections 
between  IT  security  and  privacy  advocates,  to  discuss  issues  of  mutual  concern  from  different 
points  of  view. 

5 Transition and Exploitation


5.1  Transition  to  End  Users 

In  order  to  transition  the  results  of  the  Study  to  end  users,  the  guidance  developed  during  the 
Study  could  be  incorporated  into  a  CSEC  ITSG  document.  CSEC  has  responsibility  within  the 
Government  of  Canada  to  produce  guidance  on  IT  security.  Thus,  creating  an  ITSG  document 
creates  an  official  reference  for  potential  Canadian  deployers  of  biometric  technology. 
Additionally,  guidance  surrounding  privacy  could  be  incorporated  into  OPC  policy.  Both  these 
avenues  would  help  disseminate  information  to  the  IT  security  practitioner  community.  Active 
follow-up  to  educate  practitioners  could  include  workshops  and  presentations  at  industry 
conferences. 

5.2  Follow-On  R&D  Recommended 

The  Study  team  recommends  expanding  upon  the  biometrics  vs.  passwords  test  plan  and 
methodology  developed  during  the  Study  to  collect  additional  empirical  and  anecdotal  data 
comparing  biometrics  against  passwords  and  other  forms  of  authentication.  The  biometrics  vs. 
passwords  comparative  test  methodology  developed  during  the  Study  is  scalable  to  a  larger  test 
involving  more  complex  variables  over  a  longer  period  of  time.  Ways  to  expand  the  test  include: 

•  Evaluating  additional  biometric  modalities; 

•  Varying  different  independent  variables; 

•  Using  a  larger  and  more  diverse  group  of  test  subjects; 

•  Evaluating  multi-factor  authentication;  and 

•  Conducting  a  comparison  vs.  other  types  of  authentication  besides  passwords. 

Additionally, an even more comprehensive framework for evaluating the use of biometrics in IT
network  access  applications  could  be  developed.  This  framework  would  incorporate  checklists 
and  decision  matrices  for  evaluating  deployments  of  biometrics  in  more  specific  access  control 
scenarios. 

6 Conclusion


6.1  Strategic  Planning  Advice 

The  Strategic  Planning  Advice  /  Advisory  Note  provides  a  concise  strategic  perspective  on  the 
project  to  clearly  position  its  role  in  the  overall  public  security  S&T  programs  and  proposes  the 
strategy  for  maximizing  its  success.  This  particular  Study  addresses  the  Surveillance,  Intelligence 
and  Interdiction  (SI2)  domain  need  to  develop  capabilities  to  “monitor  the  security  environment, 
understand  the  threats  to  national  security,  and  direct  an  effective  and  proportionate  response  to 
deter,  disrupt  and  stop  terrorists  and  other  criminals”  by  attempting  to  facilitate  increased  use  of 
biometrics  for  authentication  in  IT  network  access,  thereby  deterring  and  disrupting  terrorists  and 
other  criminals  in  the  cyber  environment.  The  Study  attempted  to  facilitate  increased  use  of 
biometrics  by  developing  a  reusable  analysis  capability  that  could  be  used  by  IT  security 
deployers  to  evaluate  the  suitability  of  biometric  technologies  for  their  particular  authentication 
needs. 

The  Strategic  Planning  Advice  was  originally  presented  during  the  Interim  Progress  Report 
meeting.  The  final  Strategic  Planning  Advice  is  enclosed  as  a  set  of  presentation  slides. 

6.2  Capability  Road  Map 

The  Capability  Road  Map  provides  a  time-sequenced  and  holistic  view  of  the  key  “capability 
inputs  or  issues”  needed  to  be  addressed  in  order  to  ensure  the  success  of  the  project  and  its 
overarching  goals.  The  Capability  Road  Map  intentionally  includes  elements  that  are  out-of-scope 
for  the  project,  and  identifies  key  activities  (capability  changes)  that  are  required  to  adjust  the 
current  (as-is)  capability  with  its  associated  people,  processes,  and  tools  to  cause  it  to  change 
incrementally  towards  a  new  (to-be)  enhanced  capability  in  the  future. 

6.2.1  PRICIE  Framework 

Based  on  direction  provided  in  the  Public  Security  Technical  Program  Call  No.  2  Proposal 
Guidebook  2009-2010,  the  Capability  Road  Map  builds  on  capability  considerations  specified  in 
the  PRICIE  Framework,  whose  elements  are  as  follows: 

•  (P)ersonnel  -  Human  resources  required  to  complete  Canada’s  Department  of  National 
Defence  (DND)  assigned  missions  and  tasks 

• (R)esearch & Development (R&D)/Operations Research (O.R.) - R&D are endeavours to
increase the knowledge of natural phenomena, the environment and technological resources;
O.R. is the scientific field of the collation of information, the transformation of information
into knowledge, and the provision of knowledge to decision making

• (I)nfrastructure & Organization - Relation of an organization’s size, composition and
process  to  its  infrastructure  requirements  and  specifications 

•  (C)oncepts,  Doctrine  &  Collective  Training  -  Development  of  ideas  and  goals  followed  by 
the  fundamental  principles  by  which  the  military  guide  their  actions  in  support  of  objectives. 
Collective training involves the development of units and formations to generate combat
power  including  lessons  learned 

•  (I)T  Infrastructure  -  Orchestrates  the  computing,  communication,  and  information  systems 
critical  to  the  rapid  development  and  dissemination  of  knowledge 

•  (E)quipment  Supplies  and  Services  -  Furnishing  and  maintenance  of  non-expendable  items 
needed to outfit an individual or organization to accomplish assigned missions or tasks

The  PRICIE  Framework  is  intended  for  analysis  of  cost  models  for  developmental  systems  as 
opposed  to  research  initiatives.  As  such,  certain  elements  of  the  Framework  are  not  readily 
applicable  to  the  current  Study.  Nonetheless,  the  Capability  Road  Map  attempts  to  incorporate 
key  capability  inputs  across  each  PRICIE  area. 

6.2.2  Capability  Road  Map  Chart 

Figure  1  depicts  a  Gantt  chart-like  schedule  that  shows  the  activities  executed  during  the  project 
and potential future elements that are out-of-scope for the project to reach the Study objectives
of:  (1)  evaluating  the  potential  vulnerability  and  utility  of  biometric  technologies  for  Government 
use  in  IT  system  access  control  applications,  and  (2)  improving  the  ability  of  Canadian 
Government  Agencies  to  identify  and  mitigate  security  vulnerabilities  and  privacy  risks,  by 
producing  information  for  decision-makers  with  respect  to  deploying  biometric  technology  for 
authentication.  Future  activities  are  listed  under  “Post-Study  Activities”.  Note  that  specific 
notional  tasks  and  dates  listed  in  the  schedule  are  for  illustrative  purposes  only,  and  should  be 
superseded  by  the  actual  defined  tasks  in  official  processes  such  as  standards  development 
processes.  Additionally,  all  potential  tasks  have  been  listed  as  starting  immediately  following  the 
Study,  which  may  not  be  realistic  or  feasible,  and  finite  periods  have  been  used  for  some  ongoing 
tasks  which  should  continue  indefinitely. 

Figure 1: Capability Road Map

In  terms  of  this  Study,  the  biometric  technology  for  authenticating  users  in  access  control 
applications  already  exists  at  a  mature,  deployable  Technology  Readiness  Level  (TRL).  What  is 
lacking  is  clear  guidance  for  deployers,  which  would  provide  them  with  the  confidence  and 
justification to deploy it for use in government authentication applications, thereby helping to
combat  cyber-attacks.  Thus,  one  of  the  goals  was  to  develop  a  reusable  analysis  capability,  which 
can  be  further  extended  to  include  more  in-depth  risk  assessment  templates,  adding  factors  such 
as  the  cost  of  remediation. 

6.2.3 Current (as-is) Capability


Biometric  technology  is  currently  a  mature  authentication  technology,  offering  several  modalities 
suitable  for  use  in  network  authentication.  Examples  of  large  government  programs  utilizing 
biometric  technology  for  authentication  exist  such  as  the  CATSA  RAIC  implementation; 
however,  a  deficiency  in  available  guidance  and  education  aimed  at  the  IT  security  community 
regarding use, especially use in Canada, has prevented widespread deployment. Analysis
conducted during the review of existing documents indicated that the main challenges and gaps
toward  implementation  included: 

1.  A  deficiency  in  comprehensive,  qualified  science-based  guidance  on  use  of  biometrics  in 
authentication  systems; 

2. A deficiency of straightforward guidance aimed at IT security practitioners and
decision-makers; and

3.  An  absence  of  active  efforts  aimed  at  educating  IT  security  practitioners  regarding  biometric 
authentication. 

6.2.4  New  (to-be)  Enhanced  Capability 

One  of  the  objectives  of  the  Study  was  to  help  promote  the  use  of  biometric  technologies  for 
network  authentication  amongst  IT  security  practitioners  through  the  development  of  a  reusable 
analysis  capability.  Proposed  next  steps  for  CSEC  would  contribute  to  developing  this  reusable 
analysis  capability  using  the  Study  framework  by: 

•  Expanding  the  comparative  evaluation  to  collect  more  empirical  and  anecdotal  data 
comparing  biometrics  against  passwords  and  other  forms  of  authentication.  The  biometrics 
vs.  passwords  comparative  test  methodology  developed  during  the  Study  is  scalable  to  a 
larger  test  involving  more  complex  variables  over  a  longer  period  of  time.  Ways  to  expand 
the  test  include: 

♦  Using  additional  biometric  modalities  commonly  used  for  access  control  (e.g.,  iris, 
vein/vascular); 

♦  Varying  different  independent  variables  (e.g.,  frequency  of  required  password 
changes); 

♦  Using  a  larger  and  more  diverse  group  of  test  subjects  representing  a  larger  segment 
of  the  population  (e.g.,  non-acclimated  users,  broader  age-range); 

♦  Evaluating  multi-factor  authentication;  and 

♦  Conducting  a  comparison  vs.  other  types  of  authentication  (e.g.,  cryptographic 
tokens). 

•  Developing  a  more  comprehensive  framework  that  incorporates: 

♦ Checklists and other tools for evaluating deployments of biometrics in more specific
access  control  scenarios;  and 

♦  Additional  deployment  factors. 

•  Educating  stakeholders,  decision-makers,  deployers  and  users  to  obtain  buy-in  on  the  use  of 
the  framework  by: 

♦  Developing  training  materials  aimed  at  IT  security  practitioners;  and 

♦  Holding  workshops  for  IT  security  practitioners. 

•  Utilizing  the  ITSG  development  process  to  create  more  comprehensive,  actionable  guidance 

Other  next  steps  could  include: 

•  Developing  biometric  application  profile  standards  tailored  for  Canadian  use;  biometric 
application  profiles  are  currently  being  developed  at  the  international  level,  and  exist  at  the 
U.S.  national  level. 

•  Developing  and  maintaining  a  registry  of  Canadian  Government  recommended  biometric 
standards,  similar  to  the  U.S.  Government’s  registry. 

6.2.5  Key  Activities  for  Effecting  Capability  Changes 

Challenges  exist  toward  increasing  the  use  of  biometric  technologies  for  authentication.  These 
include: 

•  The  need  to  change  the  IT  security/cryptography  mindset  that  non-deterministic  means  of 
authentication  are  less  secure.  At  the  same  time,  it  is  important  to  note  that  since  the  Ability 
to  Verify  (ATV),  which  measures  the  degree  to  which  users  can  authenticate  in  a  particular 
system,  can  never  be  100%,  deployers  must  keep  in  mind  that  an  alternative  method  must 
also  be  deployed. 

•  Deficiencies  in  official  guidance  and  education  for  deployers  regarding  advantages  of 
biometric  authentication  such  as  authenticating  the  presence  of  actual  users  and  negative 
recognition  (de-duplication). 

•  Since  biometric  systems  often  require  a  specialized  capture  device,  an  increase  in  initial 
start-up  costs  and  ongoing  maintenance  costs  is  another  potential  barrier  to  deployment. 

•  Privacy  concerns,  interoperability,  start-up  costs  and  perceived  complexity  issues  continue 
to  be  barriers  to  adoption. 

Competitive  approaches  to  authentication  equally  have  drivers  and  challenges.  There  have  not 
been  many  recent  technology  developments  that  have  improved  password  authentication  systems, 
although  social  engineering  vulnerabilities  are  becoming  more  well-known  and  therefore 
addressable  through  user  education.  Stronger  encryption  techniques  and  the  use  of  salt  can  be 
used  to  protect  passwords  from  certain  attacks. 

Data  collected  as  part  of  the  user  survey  after  the  biometrics  vs.  passwords  comparative 
evaluation  performed  during  the  Study  indicated  that  overall  security  does  not  necessarily 
increase  with  password  strength,  enforced  by  restrictive  password  rules,  since  “stronger” 
passwords may be more difficult to remember, leading to users writing down passwords, or
choosing  passwords  that  may  meet  restrictive  rules,  but  are  nonetheless  trivial. 

Advances  in  computing  power  and  decreases  in  storage  cost  have  made  rainbow  tables  and  other 
password  cracking  tools  and  techniques  easier  to  apply,  decreasing  the  overall  security  of 
passwords. 

6.2.6  People,  Processes  and  Tools 

People,  processes  and  tools,  which  contribute  to  the  general  advancement  of  the  state-of-the-art  in 
biometric  technology,  include  challenge  problems,  government  requirements,  and  competitive 
evaluations  from  organizations  such  as  U.S.  NIST,  which  push  the  envelope,  and  introduce  new 
modalities.  For  example,  requirements  for  a  compact,  mobile  ten-print  capture  scanner  device, 
defined by a consortium of U.S. government agencies led by the U.S. Department of Homeland
Security  10  Print  Scanner  User  Group  in  2005,  spawned  a  new  generation  of  compact  livescan 
devices  from  industry.  As  another  example,  U.S.  NIST  is  currently  benchmarking  and  attempting 
to  improve  the  state-of-the-art  in  face  and  iris  recognition  technology  through  its  Multiple 
Biometric  Grand  Challenge  (MBGC),  which  aims  to  “investigate,  test  and  improve  performance 
of  face  and  iris  recognition  technology  on  both  still  and  video  imagery  through  a  series  of 
challenge problems and evaluation.” The people who contribute to these efforts include the
government  portfolio  managers,  researchers,  technology  developers  and  engineers  who  define  the 
requirements,  execute  the  evaluations  and  produce  the  technologies. 

Additionally,  general  increases  in  computing  speed  and  memory  technologies  continually 
improve  overall  performance  of  biometric  systems. 

People,  processes  and  tools,  which  could  contribute  to  the  goals  of  the  Study  of  increasing  use  of 
biometrics  for  authentication,  include  the  following: 

•  Going  forward,  through  its  role  in  producing  IT  security  guidance  for  the  Government  of 
Canada  and  private  industry,  CSEC  can  utilize  the  existing  ITSG  development  process  to 
create  more  comprehensive,  actionable  guidance  that  IT  security  practitioners  can  use.  In 
addition  to  ITSG  documents,  guidance  can  take  the  form  of  checklists  and  procedures  as 
tools  that  help  decision-makers  in  deciding  whether  or  not  biometrics  are  appropriate  for 
their  deployment. 

•  Members  of  the  biometrics  CoP  can  help  promote  the  results  of  the  Study  and  the  use  of 
biometrics  in  IT  system  access  control  applications  within  their  respective  organizations. 
They  can  also  apply  additional  tools  for  spreading  the  use  of  biometrics  such  as:  workshops 
at  IT  security  conferences,  disseminating  guidance  across  IT  security  working  groups,  and 
generating  internal  guidance  and  memoranda  as  appropriate. 

•  To  produce  guidance  that  is  based  on  science-based  metrics  and  evaluations,  a  more  in- 
depth  experimental  test  comparing  biometrics  to  other  forms  of  authentication  can  be 
developed  and  executed.  Such  a  test  could  be  based  on  the  biometrics  vs.  passwords 
comparative  evaluation  performed  as  part  of  this  Study. 

Annex  B  Project  Performance  Summary


B.1  Technical  Performance  Summary 

All  milestones  for  the  Study  were  completed,  and  all  deliverables  were  delivered.  The  objectives  of  the 
Study  were  met  by  initiating  scope  changes  to  address  them  better.  These  included: 

•  The  focus  on  links  between  system  performance  and  security  strength  of  function  (SoF)  was
de-emphasized,  as  these  links  were  previously  explored  by  other  efforts.  This  was  replaced  by  a  more
practical  comparison  of  the  utility  of  biometrics  vs.  passwords. 

•  The  practical  evaluation  of  techniques  for  enhancing  biometric  security  such  as  biometric  encryption 
and  cancellable  templates  was  de-emphasized.  This  was  replaced  with  a  practical  biometrics  vs. 
username/password  evaluation,  which  was  more  applicable  to  the  objectives  of  the  Study.


B.2  Schedule  Performance  Summary 

Due  to  contract  delays,  the  project  schedule  was  halved,  starting  in  Q3  instead  of  Q1.  This  resulted  in  a
compression  of  the  original  schedule.  To  make  up  for  lost  time,  instead  of  conducting  the  Study  phases 
sequentially,  parts  of  three  originally  proposed  phases  were  combined,  and  the  biometric  vulnerabilities 
framework  was  developed  concurrently  with  the  evaluation  of  representative  technologies. 

B.3  Cost  Performance  Summary 

The  Study  was  completed  within  the  originally  proposed  budget.  During  the  course  of  the  Study,  it  was 
determined  that  the  in-kind  contributions  of  equipment  from  CSEC,  as  well  as  the  representative 
technologies  from  priv-ID  and  GenKey,  were  not  appropriate  for  the  realigned  focus  on  the  Study.  These 
in-kind  amounts  were  subtracted  accordingly. 


DRDCCSS  CR  2011-19 


Annex  C  Publications,  Presentations,  Patents 


At  the  time  of  publication,  no  additional  publications,  presentations  or  patents  had  been  created 
based  on  the  work  of  the  Study;  however,  the  Study  team  expects  to  present  results  at  the  Public 
Security  S&T  Summer  Symposium  2011  in  June. 